BACKGROUND
While the format of
META http-equiv="refresh"
and
META name="refresh"
type HTML headers was never exactly defined by the W3C, web
browsers have been interpreting this instruction since early
releases. Web application developers got used to the clients'
behaviour and using this tag to initiate URL redirections
became common.

Like most web browsers, Internet Explorer 6 interprets this tag,
too. However, contrary to other web browsers, IE6's HTML
parser uses a rather loose rule set, which facilitates the
injection of malicious code into the tag when browsing web
applications that insufficiently sanitize user-supplied
input.

For example, a web application may use the following PHP code
(redirect.php) to redirect a web browser to a different URL:

Obviously, a web application developer must make sure that no
malicious code can be injected via the 'goto' parameter passed
with the HTTP GET method. A common method to sanitize user input
would be to hardcode the protocol part of the URL ('http://')
contained in 'goto', and to URL-encode any double quotes. This
would supposedly make it difficult to inject any malicious
client-side code.

ISSUE
Unluckily, and contrary to other web browsers, Internet
Explorer 6 allows multiple 'URL=' parts in the 'content'
attribute and will only interpret the last value given.
As a result, it is still possible to inject code into a
web application using the input sanitization described above,
and that code will be executed when using Internet Explorer 6.

For example, Internet Explorer 6 will interpret the following
statement:

Making use of Internet Explorer's loose parsing, a value of the
'goto' URL parameter such as the following will work, too:

%20%20%20%20%20;UrL=jaVAscRIpt:alert('XSS');

As any of ';', 'UrL', '=', 'jaVAscRIpt' and ':' may be legal
content passed to the target web site (think of a search term
passed to a search engine), sanitizing this is not too easy.
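The following Python is an added illustration, not code from the advisory: it models the naive sanitization described above (scheme hardcoded, double quotes URL-encoded), a simplified model of the 'last URL= part wins' parsing the advisory attributes to IE6 (an assumption based on that description, not a reproduction of the real parser), and a stricter check that rejects the bypass. The host allow-list and www.example.com are constructed values.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample: the bypass value quoted in the advisory, as it arrives in the query string.
BYPASS_GOTO = "%20%20%20%20%20;UrL=jaVAscRIpt:alert('XSS');"


def naive_meta_refresh(goto: str) -> str:
    """The sanitization the advisory describes: the scheme is hardcoded in front of
    'goto' and double quotes are URL-encoded so the attribute cannot be closed."""
    target = unquote(goto).replace('"', "%22")
    return '<META http-equiv="refresh" content="0; URL=http://%s">' % target


def ie6_last_url(meta_tag: str) -> str:
    """Assumed model of the loose IE6 parsing described in the advisory: the content
    attribute is split on ';', every part starting with 'URL=' (any case) is a
    candidate, and the last candidate wins. Not a reproduction of the real parser."""
    start = meta_tag.index('content="') + len('content="')
    content = meta_tag[start:meta_tag.index('"', start)]
    candidates = [p.strip()[4:] for p in content.split(";") if p.strip()[:4].lower() == "url="]
    return candidates[-1] if candidates else ""


def strict_redirect_target(goto: str, allowed_hosts: set) -> Optional[str]:
    """Hardened check: decode once, reject anything that could end the current URL=
    part or start another one (';', 'url=' in any case, whitespace or control
    characters), then require the host to be on a constructed allow-list."""
    target = unquote(goto)
    if ";" in target or "url=" in target.lower() or any(ord(c) < 33 for c in target):
        return None
    url = "http://" + target
    if urlsplit(url).netloc.lower() not in allowed_hosts:
        return None
    return url


if __name__ == "__main__":
    tag = naive_meta_refresh(BYPASS_GOTO)
    print(tag)
    print("IE6 model would navigate to:", ie6_last_url(tag))
    print("strict check:", strict_redirect_target(BYPASS_GOTO, {"www.example.com"}))
```

Rejecting rather than re-encoding the offending characters is deliberate: the advisory does not state whether IE6 decodes '%3B' or '%3D' before splitting the attribute, so re-encoding is not assumed to be safe.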

Since the expected behaviour would be for a web browser either
to return an error message for incorrect syntax or to interpret
everything after the first 'URL=' part as the target URL,
Internet Explorer behaves in a rather uncommon way. A fix on the
user agent side would be the best solution for this issue.